Format String Vulnerability in CAPWAP fast-failover mode

Monitor | CVSS 6.7 | FG-IR-25-795 | Feb 10, 2026
Fortinet
IT in OT - Fortinet products are commonly deployed at IT/OT network boundaries
Attack path
  • Attack Vector: Local
  • Auth Required: High
  • Complexity: Low
  • User Interaction: None needed
Summary

A format string vulnerability exists in FortiOS CAPWAP fast-failover configuration handling. An authenticated administrator can inject crafted characters into specific configuration fields to trigger arbitrary code execution on the FortiGate firewall with admin privileges. Affected versions: FortiOS 7.6.0-7.6.4, 7.4.0-7.4.9, 7.2.0-7.2.11, and all 7.0.x versions.

What this means
What could happen
An authenticated administrator with high-level access could run arbitrary commands on the FortiGate firewall through specially crafted configuration inputs, potentially compromising network traffic inspection, routing decisions, and the integrity of all systems behind the firewall.
Who's at risk
Network security teams operating FortiGate firewalls in any industry (utilities, manufacturing, healthcare, finance) should prioritize this if running FortiOS 7.0, 7.2, 7.4.0-7.4.9, or 7.6.0-7.6.4. The vulnerability affects the core firewall appliance and its configuration engine.
How it could be exploited
An attacker with valid admin credentials accesses the FortiGate management interface (web UI or CLI) and injects malicious format string characters into CAPWAP fast-failover configuration fields. This triggers a format string vulnerability that allows code execution on the firewall with admin privileges.
Prerequisites
  • Valid FortiOS admin credentials
  • Access to FortiGate management interface (typically restricted to LAN/management network)
  • Ability to modify CAPWAP fast-failover configuration settings
  • Authentication required (high-privilege admin account)
  • Local access required to management interface
  • Low attack complexity
  • High impact to firewall integrity
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (4)
4 with fix
Product   Affected Versions   Fix Status
FortiOS   7.6.0 - 7.6.4       7.6.5+
FortiOS   7.4.0 - 7.4.9       7.4.10+
FortiOS   7.2.0 - 7.2.11      Migrate to fixed release
FortiOS   7.0 all versions    Migrate to fixed release
Remediation & Mitigation
Do now
  • HARDENING: Restrict admin account access to trusted users only and review active admin accounts for unnecessary accounts
  • HARDENING: Limit management interface access to a dedicated management network or VPN rather than allowing access from all network segments
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

FortiOS
  • HOTFIX: Update FortiOS to version 7.6.5 or later if running the 7.6.x branch
  • HOTFIX: Update FortiOS to version 7.4.10 or later if running the 7.4.x branch
  • HOTFIX: Migrate from FortiOS 7.2 to a supported fixed release (7.4.10+, 7.6.5+, or a newer branch)
  • HOTFIX: Migrate from FortiOS 7.0 (end-of-life) to a currently supported and patched release
API: /api/v1/advisories/0d0b708d-7fc8-4ef4-a1db-53e5fdfdb8c4